September 2006
Report No. 06-017

DRR's Protection of Bank Employee and Customer Personally Identifiable Information

Background and Purpose of Audit

The FDIC's Division of Resolutions and Receiverships (DRR) has primary responsibility for resolving failed FDIC-insured depository institutions promptly, efficiently, and responsively in order to maintain public confidence in the nation's financial system. In performing their duties, DRR personnel have access to a wide variety of records containing personally identifiable information of a bank's employees and customers. The adequacy of DRR's controls over such information has become more important with the increased attention on the issue of identity theft.

The overall objective of the audit was to determine whether DRR adequately protects personally identifiable information collected and maintained as a result of resolution and receivership functions. We focused our attention on DRR efforts to protect information maintained in hardcopy form. We intend to conduct a future audit that more fully addresses DRR's controls over personally identifiable information in electronic form.

To view the full report, go to www.fdicig.gov/2006reports.asp

Results of Audit

Overall, through various policies and procedures, DRR has established certain controls over the resolution and receivership process addressing the protection of sensitive bank employee and customer personally identifiable information. Among the policies and procedures is DRR's Failed Financial Institution Closing Manual, which identifies the responsibilities of key DRR officials and highlights certain important controls for securing and establishing accountability for sensitive information. During our review of documentation supporting the four most recent institution closings, we found that DRR had implemented the controls as designed.

However, given the increased risks associated with, and attention being placed on, identity theft, we identified opportunities for DRR to strengthen controls over its handling of sensitive bank employee and customer personally identifiable information obtained during the resolution and receivership process. In particular, DRR had not established a Records Management Program that defines recordkeeping requirements for the inventory, maintenance, control, and use of hardcopy documents. As a result, personally identifiable information could be at increased risk of compromise or unauthorized use.

Further, other matters came to our attention during the audit relating to the FDIC's contract with Iron Mountain, Inc. for off-site records storage and the FDIC's overall Records Management Program administered by the Division of Administration (DOA). We provided these matters for DOA consideration in its current effort to draft an FDIC records management manual.

Recommendation

The report recommends that DRR work with DOA, and other cognizant FDIC divisions and offices, in developing a DRR Records Management Program that would include guidelines for the inventory, maintenance, use, and control of hardcopy records containing personally identifiable information from failed institutions. DRR management concurred with the recommendation and is forming a working group, which, in consultation with DOA and others, will develop records management guidance specific to their needs.

With regard to the other matters discussed in the report, DOA management indicated it is taking appropriate actions to address issues associated with the Iron Mountain, Inc. contract. Additionally, DOA will evaluate our information regarding the overall Records Management Program as the division continues to improve the program.


BACKGROUND

Within the FDIC, DRR has the primary responsibility for resolving failing FDIC-insured depository institutions promptly, efficiently, and responsively in order to maintain public confidence in the nation's financial system. In performing their duties, DRR personnel have access to a wide variety of records containing personally identifiable information of a bank's employees and customers. Such records include: bank employee payroll records, customer deposit records, and customer loan records.

DRR's Bank Resolution Process

DRR's Failed Financial Institution Closing Manual (Closing Manual) contains procedures for closing an FDIC-insured financial institution when the institution is placed into receivership. Although the Closing Manual is not intended to provide detailed, technical explanations of tasks to be performed (such detail is contained in other FDIC manuals and directives), the Closing Manual does provide closing procedures and guidelines for each program area participating in the closing. Based on the Closing Manual, other manuals and directives, and interviews with DRR officials, the summary below briefly outlines DRR's bank resolution process and provides a general overview of the types of bank employee and customer personally identifiable information that may come into DRR's possession both during and after the closing of a failing FDIC-insured institution.

•   At the outset of the resolution process, DRR's Business Information Systems Section (BIS) receives a download of an institution's electronic records from either the failing institution's computer system or its data processing servicer, if one was used. Generally, this download consists of loan files, deposit account files, employee personnel files, and accounting files and may contain bank employee and customer personally identifiable information such as name, address, Social Security number (SSN), and account number and balance. BIS makes this information available to other DRR operating groups that use the information to carry out closing-related tasks. (Other DRR operating groups include: Institution Sales, Asset Sales, Claims, Investigations, and General Accounting.)

•   From the download, DRR's Pro Forma Team[2] creates a closing trial balance consisting of all the institution's assets and liabilities passing on to the FDIC in its capacity as receiver. This trial balance becomes the beginning inventory of the resulting receivership.

•   DRR Institution Sales personnel use the downloaded data to establish estimates of the values of the institution's franchise and its assets for marketing purposes. In performing this work, Institution Sales may share bank information with prospective bidders of the bank franchise and any contractor that may be assisting with the sale.

•   DRR's Asset Sales, Claims, Investigations, and General Accounting groups work with the bank records in both hardcopy and electronic format to carry out closing-related responsibilities. Records that are needed for DRR's ongoing resolution process (such as loan files and employee records) are shipped to the Dallas Regional Office where they are stored until no longer needed. As with Institution Sales, Asset Sales may share certain bank information with potential purchasers when conducting resolution-related work.

[2] DRR's Pro Forma Team is comprised of the Financial Manager, Pro Forma Team Leader, Pro Forma support staff, and a tax specialist. The purpose of the Pro Forma Team is to produce an accurate adjusted Statement of Condition of the failed institution.

Federal Laws and Guidance Related to the Protection of Personally Identifiable Information

The primary statute that regulates the federal government's use of personally identifiable information is the Privacy Act of 1974. The Privacy Act covers a broad range of privacy-related issues, but there are two elements that apply specifically to our audit objective. The FDIC, according to the Act, is responsible for (1) maintaining in its systems of records only such information necessary and relevant to the function the Corporation is required to perform either by statute or by executive order of the President and (2) establishing reasonable administrative, technical, and physical safeguards to assure that records are disclosed only to those who are authorized to have access.

The Privacy Act has been augmented by a number of other laws, regulations, and guidance, including the E-Government Act of 2002, which includes the Federal Information Security Management Act of 2002 (FISMA); Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005 (Section 522);[3] OMB Circular No. A-130, Management of Federal Information Resources, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals; and OMB's Memorandum, M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002. These laws and regulations require government agencies to enhance and, in several cases, report on their privacy programs.

[3] This Act is division H of the Consolidated Appropriations Act, 2005.

The E-Government Act of 2002 provides protection for personally identifiable information in government information systems or information collections by requiring that agencies conduct Privacy Impact Assessments (PIA).[4] In general, agencies must conduct a PIA before (1) developing or procuring information technology that collects, maintains, or disseminates information that is in a personally identifiable form or (2) initiating any new electronic data collections containing personal information on 10 or more individuals other than federal employees and agencies. Among other actions that should require a PIA, according to guidance from OMB, is the significant merging of information in databases, for example, in a linking that "may aggregate data in ways that create privacy concerns not previously at issue" or "when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources." Bank employee and customer information that DRR collects during the resolution and receivership process falls into this category of information.

[4] The E-Government Act defines a PIA as "an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks."

Appendix II further describes the laws and regulations applicable to DRR's protection of personally identifiable information.

Federal guidance related to records management has been promulgated by the National Archives and Records Administration (NARA).[5] Specifically, NARA publishes handbooks, conducts workshops and other training sessions, and furnishes information and guidance to federal agencies about the creation of records, their maintenance and use, and their disposition. Agencies, in turn, must institute adequate records management controls over the maintenance and use of records wherever they are located to ensure that all records, regardless of format or medium, are organized, classified, and described to promote their accessibility and are available for use by all appropriate agency staff for their authorized retention period. Agencies must ensure that they maintain adequate information about their records moved to an off-site records storage facility. Also, agencies must ensure the proper, authorized disposition of their records and must periodically evaluate records management programs.

[5] Under the National Archives and Records Administration Act of 1984, NARA is responsible for promulgating records management regulations related to the adequacy of documentation and records disposition. The Act and regulations promulgated thereunder are not legally binding on the FDIC, but the FDIC intends to follow them as a matter of policy.

FDIC's Records Management Program and Efforts to Address the Protection of Personally Identifiable Information

The FDIC's Division of Administration (DOA) administers a corporate-wide Records Management Program and, as a matter of policy, complies with the policies and procedures promulgated by NARA. DOA records management policies and procedures apply to all FDIC divisions and offices and govern the management of records created in the course of conducting business and records received by the FDIC from failed financial institutions. DOA facilitates the records disposition and storage process through its Records Management Unit and designates division and office Records Liaisons to cooperate with the DOA Records Manager serving their respective geographic locations.

For active records, FDIC operating divisions, such as DRR, are required to develop their own policies and procedures regarding inventory, handling, and storage practices. Additionally, according to FDIC Circular 1210.18, FDIC Records Management Program:

        Division and Office Directors shall support the FDIC Records Management Program as follows: (1) designate a records liaison who shall work with appropriate Records Manager in implementing policies and procedures; (2) promote the creation of adequate documentation throughout their organization by defining the recordkeeping requirements for their programs in procedural manuals or other documentation. Recordkeeping requirements define the kinds of records each division or office should create and maintain to document their business activities; and (3) establish records management programs within their organizations that are consistent with FDIC policy and executed by division and office staff.

In accordance with Section 522, in March 2005, the FDIC appointed a Chief Privacy Officer (CPO), within the Division of Information Technology (DIT), with overall responsibility for the Corporation's Privacy Program and designated a Privacy Program Manager to support the CPO in developing and implementing corporate privacy requirements. The objective of the Privacy Program is to ensure that the FDIC is taking appropriate steps to protect personally identifiable information from unauthorized use, access, disclosure, or sharing and to protect associated information systems from unauthorized access, modification, disruption, or destruction.

The FDIC has issued a wide range of guidance to its employees on privacy-related matters. Specifically, DIT has issued a series of e-mails corporate-wide related to privacy and has established a Privacy Program Web site to assist employees in understanding the Privacy Act and the privacy policies of the Corporation. Further, as part of establishing a security program, the FDIC has developed and implemented several security-related directives. The following are most applicable to the protection of personally identifiable information:

   •   FDIC Circular 1031.1 – Administration of the Privacy Act.

   •   FDIC Circular 1301.3 – Data Stewardship Program.

   •   FDIC Circular 1310.3 – Information Technology Security Risk Management Program.

   •   FDIC Circular 1360.1 – Automated Information Systems (AIS) Security Program.

   •   FDIC Circular 1360.8 – Information Security Categorization.

   •   FDIC Circular 1360.15 – Access Control for Automated Information Systems.

The circulars are summarized in Appendix II. As discussed previously, our audit did not focus on controls over personally identifiable information in electronic form and related information technology controls.


RESULTS OF AUDIT

Overall, through various policies and procedures, DRR has established certain controls over the resolution and receivership process, addressing the protection of bank employee and customer personally identifiable information. Among the policies and procedures is the DRR Closing Manual, which identifies the responsibilities of key DRR officials and highlights certain important controls for securing and establishing accountability for sensitive information that is collected and maintained during the resolution and receivership process. During our review of documentation supporting the four most recent institution closings,[6] we found that DRR had implemented the controls as designed.

[6] The closings occurred from February 14, 2004 to June 25, 2004.

However, given the increased risks associated with, and attention being placed on, identity theft, we found opportunities for DRR to strengthen controls over its handling of bank employee and customer personally identifiable information obtained during the resolution and receivership process.

      •   DRR has not established a Records Management Program that clearly defines recordkeeping requirements for the inventory, maintenance, use, and control of hardcopy records containing personally identifiable information from failed institutions. Specific recordkeeping practices used by various DRR operating groups differed based on business needs and other circumstances but, in most cases, were not fully adequate. Further, in a broader view, DRR employees may not be sufficiently aware of division-specific recordkeeping requirements, including those designed to ensure that personally identifiable information is adequately secured. As a result, personally identifiable information could be at increased risk of compromise and unauthorized use (DRR's Records Management Program and Controls over Hardcopy Documents).

      •   When we began our audit field work, DRR had not completed PIAs on certain systems containing personally identifiable information because DIT had initially identified only those systems containing Taxpayer Identification Numbers (TIN) as requiring PIAs. As a result, DRR had not ensured that privacy protections and Privacy Act requirements were fully considered for DRR systems containing personally identifiable information. However, based on our audit work, DRR took prompt action to assess the need for and, when necessary, to complete PIAs on additional DRR systems (Privacy Impact Assessments).

Finally, other matters came to our attention during the audit relating to the FDIC's contract with Iron Mountain, Inc. (Iron Mountain) for off-site records storage and the FDIC's overall Records Management Program administered by DOA. With respect to the Iron Mountain contract, we found that improvements to certain key controls would increase assurance that Iron Mountain adequately protects the confidentiality of personally identifiable information and better protect the Corporation's interests should a breach of such information occur. Regarding the FDIC's Records Management Program, DOA could assess the adequacy of the program and consider whether: sufficient attention is given to the management of active records, records management training should be strengthened, and corporate evaluations of the effectiveness of the Records Management Program are adequate.


DRR'S RECORDS MANAGEMENT PROGRAM AND CONTROLS OVER HARDCOPY DOCUMENTS

DRR policies and procedures establish controls over the resolution and receivership process addressing the custody of records containing bank employee and customer personally identifiable information. However, DRR has not established a Records Management Program that clearly defines recordkeeping requirements for the inventory, maintenance, use, and control of hardcopy records containing personally identifiable information from failed institutions. Further, the adequacy of the practices for handling hardcopy documents containing bank employee and customer personally identifiable information varied within five DRR operating groups. As a result, documents containing sensitive information under DRR's control were at greater risk of possible compromise and unauthorized use.

Records Management Program

FDIC Circular 1210.18 requires division and office directors to support the FDIC Records Management Program by "Establish[ing] records management programs within their organizations that are consistent with FDIC policy and executed by division and office staff." DRR has designated a records liaison as required by the circular and has issued some guidance in the area of records management, covering such topics as: (1) protecting borrower identity, (2) requests by debtors for copies of loan-related documents, and (3) information systems security responsibilities. However, DRR has not developed a records management program unique to its business needs to manage records and ensure records security.

Circular 1210.18 generally states that FDIC divisions and offices should establish the following recordkeeping requirements:

   •   Documentation of important business decisions reached orally during telephone conversations or in meetings.

   •   Documentation on formal meetings of committees and task forces that include the materials distributed, decisions reached, and subsequent actions.

   •   Working files such as preliminary drafts, rough notes, and other similar materials, which shall be maintained for the purpose of adequate and proper documentation if such materials (1) were circulated or made available to employees, other than the creator, for official purposes such as approval, comment, action, recommendation, or follow-up or to communicate with agency staff about agency business; or (2) contain unique information, such as substantive annotations or comments, that adds to a sufficient understanding of the FDIC's formulation and execution of policies, decisions, actions, or responsibilities.

   •   Provisions in FDIC contracts requiring the contractor to provide any program or administrative documentation needed by the FDIC for effective management and for documenting the work performed by a vendor.

Further, the circular requires FDIC employees to ensure that their files are complete and accessible only to authorized individuals by implementing division or office guidelines for securing confidential information.

In developing guidance for its staff regarding records management, DRR could consider guidance issued by the Division of Finance (DOF) in a memorandum entitled, Managing DOF's Confidential Records, dated August 15, 2005. The guidance provided all DOF employees with (1) a definition of confidential records; (2) descriptive examples of what would constitute confidential records; and (3) general guidelines on managing confidential records, including such practices as maintaining records in locked areas and routing documents in sealed folders.

DRR Controls Over Hardcopy Documents

DRR is the custodian of records taken from a failed financial institution at closing as well as records generated during the resolution process. As custodian, DRR is responsible for properly managing these failed institution records. This responsibility encompasses all managerial activities involved with respect to the creation, inventory, maintenance, use, and disposition of the records. Of particular concern to us during this audit was DRR's inventorying, handling, storing, and disposing of failed institution records containing personally identifiable information.

Controls Over Hardcopy Documents DRR Obtained and Generated at Closings. The institution closing files developed for each of the four failed institutions we reviewed contained evidence that DRR maintained adequate custody over bank records (including loan, collateral, payroll, and personnel files). Specifically, the closing files included: (1) a written record of the FDIC's appointment as receiver of the failed institution; (2) if pertinent, a receipt and inventory of items passed on to an assuming institution; and (3) a detailed listing of the institution's hardcopy records kept by the FDIC, which were primarily loan files, investigation records, and employee records. The closing files also included exit memorandums, signed by the cognizant DRR managers, which discussed the services closing teams performed and any issues dealt with during the closing process. However, DRR was not always using the FDIC's Automated Records Management System (ARMS) for the active asset/credit files of the failed institutions, as required by Circular 1210.18. We found that only DRR's Investigations group used ARMS as an inventory for active records.

Controls Over Hardcopy Documents That DRR Maintains. We assessed each DRR operating group's controls over hardcopy institution documentation in their possession at the time of our audit. We specifically determined whether the groups were: (1) keeping records in locked file cabinets, (2) storing records in locked file rooms, (3) using sign-out sheets when records are removed, and (4) maintaining an inventory of hardcopy records. The following table summarizes our assessment of these controls and shows that the adequacy of the control processes varied among the groups.

Hardcopy Document Handling and Storage

Group                Locked File    Locked File    Sign-out    Inventory of
                     Cabinets       Room           Sheets      Active Records
Institution Sales    Yes            Yes            Yes         N/A
Asset Sales          Yes/No [a]     Yes            No          Yes
Claims               Yes            Yes            No          Yes
Investigations       No             Yes            No          Yes
General Accounting   No             No [b]         No          N/A

Source: OIG's observations and assessment of each group's practices.
[a] Asset Sales secured the original loan notes and collateral documents in locked file cabinets; however, other documentation was not secured in locked file cabinets.
[b] Initially, General Accounting did not secure tax documents and related computer equipment. After our visit, steps were taken to place locks on records storage rooms.

We recognize that general FDIC security in the Dallas Regional Office includes employee screening, controlled floor access using Smartcard, and building security personnel who guard the building's main entrances and monitor the floors. We believe, however, that more could be done to ensure adequate control over personally identifiable information as discussed in the following narrative.

        Hardcopy Document Handling and Storage by Institution Sales. DRR Institution Sales personnel use information acquired from the BIS electronic download of the bank's computer system to prepare Information Packages (IP) and to perform Asset Valuation Reviews (AVR) for valuing and marketing the institution franchise. They remove no hardcopy records from the failing bank. During the marketing phase of DRR's structured bidder selection process, approved bidders have access to selected bank information online through a secure Web site, INTRALINKS.[7] Bidders also have the opportunity to perform due diligence of the hardcopy loan files on-site at the bank. With respect to these activities, DRR has issued Circular 7220.5, Protecting Borrower Identity, which states:

        The FDIC will not disclose within databases, lists or spreadsheet summaries the names, addresses or social security numbers ("Identity Information") of individuals who are borrowers or guarantors to prospective purchasers without first, (i) obtaining an executed or assented to FDIC Confidentiality Agreement[8] in accordance with the terms of the sale, and (ii) determining that prospective purchaser meets the requirements of Paragraph 5 of this circular.

[7] INTRALINKS is a private Internet-based company DRR engaged to assist in the marketing of failing institutions. The purpose of establishing a secure Web site is to provide information in an expeditious manner on failing financial institutions to potential acquirers.

[8] Confidentiality agreements are executed documents whereby a contractor or third party must ensure the confidentiality of all the information, data, and systems provided by the FDIC or used or obtained by others under the agreement and prevent its inappropriate or unauthorized use or disclosure.

Institution Sales developed procedures and a job aid instructing its employees about how to oversee the due diligence process. These instructions include: (1) requiring that two DRR employees be in attendance at all times and (2) prohibiting prospective bidders from making copies of any institution records. It should be noted that with respect to on-site bidder due diligence, DRR has made a business decision to allow bidders to review files that could contain personally identifiable information, such as name, address, SSN, and account number.

During our walk-through of the Institution Sales offices in Dallas, Texas, we observed elements of their controls over hardcopy documents. Specifically, we noted that the internal working documents created from the BIS data for the IP and AVR were stored in locked file cabinets, inside a secure file room. According to Institution Sales officials in Dallas, three people control access to this secured file room. Further, Institution Sales maintained a sign-out sheet in the file room, requiring that personnel needing to work on a particular file sign for the file. We found recent activity on the sign-out sheet, thereby providing at least some indication that it was being used.

Because Institution Sales does not remove individual loan files or any other hardcopy records from the failed bank, a detailed inventory of employee or customer records under its control is not maintained. However, the group does maintain a folder that lists the internal working documents created from the BIS download and used during IP and AVR efforts.

        Hardcopy Document Handling and Storage by Asset Sales. DRR Asset Sales is responsible for selling a bank's assets after closure, and Asset Sales personnel are subject to the same policies and job aids as Institution Sales. The original loan notes and collateral documents are reviewed at the bank and reconciled with the bank's records. The asset sales process includes a due diligence phase that is similar to due diligence performed during the marketing phase of the bidder selection process. The major difference is that the due diligence occurs at the FDIC's Regional Office in Dallas, Texas, as opposed to on-site at the failed institution. Potential bidders are screened and must sign confidentiality agreements.

Unlike Institution Sales, Asset Sales takes hardcopy records such as original loan and collateral files from the failed financial institution. Asset Sales reconciles these files to the loans on the books of the institution at the closing. This reconciliation is accomplished before the files are shipped to the Dallas Regional Office. The resulting loan trial balance becomes the inventory of assets, and a copy of this inventory is placed in a Closing Manager's Book. Asset Sales maintains the hardcopy records in a locked file room. The original loan and collateral documents are further secured in locked file cabinets inside the locked room, while other asset files are in unlocked file cabinets inside the locked file room. Therefore, the other asset files were at a somewhat greater risk of possible misuse.

        Hardcopy Document Handling and Storage by Claims. DRR Claims primarily deals with a failed bank's deposit information and is responsible for determining the insured and uninsured deposit amounts. Claims starts with the BIS electronic data download from the bank and, although Claims personnel do not remove any bank records from the failed financial institution at closing, the working files generated to support the claims process do contain personally identifiable information regarding customers' deposit accounts. Deposit information is loaded into the Receivership Liability System (RLS), and the deposit information in RLS becomes the Claims inventory. All hardcopy documents generated from the electronic records are locked in file cabinets and stored inside a secure file room. The file room remains open during the day. Although there is no sign-out sheet for the file room, the sign-out card for files has to be placed in the file drawer when files are removed.

On March 31, 2005, Claims management issued a memorandum to all Claims personnel, establishing standard procedures for the security of system-generated (printed) products from RLS. The guidance states that if no longer required to be maintained, sensitive printed documents are to be placed in locked containers for shredding. Further, the guidance states that sensitive printed data and other storage media documents are not to be left out or in open common areas such as conference rooms and that at night (after normal working hours), such documents are to be placed in the claims specialists' offices or Claims' file room.

        Hardcopy Document Handling and Storage by Investigations. Personnel from DRR Investigations retrieve a wide variety of hardcopy documents during a bank closing. These documents include corporate charters, stock certificates, board meeting minutes, insurance policies, files relative to legal matters involving the bank, certain bank employee payroll and personnel files, and all files pertaining to insider loans or suspected fraud.
The hardcopy files that Investigations personnel acquire at or after the closing are\nshipped to the Dallas Regional Office and kept in a locked central file room or\nmaintained in an individual investigator\xe2\x80\x99s office. A list of the documents retrieved by\nInvestigations is prepared and placed in the Closing Manager\xe2\x80\x99s Book. At the Dallas\nRegional Office, information from the retrieved documents is loaded into ARMS, and the\ninformation in ARMS becomes the inventory for both active and inactive Investigations\nrecords. We observed that the investigators\xe2\x80\x99 offices were not locked after normal\nworking hours, so anyone having or gaining access to the Dallas Regional Office could\ngain access to these records.\n\nDuring one walk-through of the Investigations\xe2\x80\x99 area in Dallas, we observed that the file\nroom was unlocked during the day. We also noted that Investigations was not making\nuse of a sign-out sheet. After discussing our observations with the Investigations\nmanager, the manager sent the group an e-mail, which stated \xe2\x80\x9cto comply with data\n\n\n\n                                             11\n\x0csecurity requirements, the door to the file room needs to be closed and locked when not\nin use.\xe2\x80\x9d Subsequently, we visited the location and noted that the file room was locked.\n\n        Hardcopy Document Handling and Storage by General Accounting. DRR\xe2\x80\x99s\nGeneral Accounting prepares federal and state tax reporting documents for the\nreceiverships. These reports include Wage and Tax Statements (Forms W-2) to bank\nemployees, Mortgage Interest Statements (Forms 1098) to bank borrowers, and various\nForms 1099 that report such information as interest earned and forgiveness of debt.\nThese documents contain a host of personally identifiable information including name,\naddress, SSN, and balances on customer accounts. 
General Accounting personnel do not\nremove hardcopy records containing personally identifiable information from the failed\nfinancial institutions. Instead, they use the BIS electronic data download to create the\naforementioned tax information. General Accounting uses two data systems to create this\ntax information\xe2\x80\x94Tax Track for receivership tax returns and Checkrite for Forms W-2,\n1098, and 1099.\n\nWhen we began our audit, General Accounting personnel maintained hard copies of\nForms W-2, 1098, and 1099 in unlocked file cabinets in two unlocked file rooms. Also,\naccording to one tax accountant, tax files were often left overnight in a person\xe2\x80\x99s office\nuntil such time as work was completed and the files were placed into the file cabinets.\nOn December 15, 2005, we brought this situation to DRR management\xe2\x80\x99s attention and,\nsubsequently, locks were installed on the file room doors, thereby addressing that issue.\n\nConclusion\n\nDRR was not fully complying with the requirement in FDIC Circular 1210.18, FDIC\nRecords Management Program, that each division establish a Records Management\nProgram consistent with FDIC policy. DRR has established certain controls in its\nClosing Manual and various other procedures and practices to address security for\npersonally identifiable information. However, DRR could better ensure that adequate\ncontrols are implemented by establishing a Records Management Program that more\nbroadly defines the types of data that should be secured and the proper means of doing\nso. 
Without these additional controls, personally identifiable information is at greater\nrisk of compromise and unauthorized use.\n\nRecommendation\n\nWe recommend that the Director, DRR, work with DOA, and other cognizant FDIC\ndivisions and offices, in developing a DRR Records Management Program that includes\nguidelines for the inventory, maintenance, use, and control of hardcopy records\ncontaining personally identifiable information from failed institutions.\n\n\n\n\n                                            12\n\x0cCORPORATION COMMENTS AND OIG EVALUATION\n\nOn September 11, 2006, the Director, DRR, provided a written response to the draft of\nthis report. The DRR response is presented in its entirety in Appendix IV. A summary\nof management\xe2\x80\x99s response to the recommendation is in Appendix V.\n\nIn its response, DRR concurred with the recommendation and stated that it is forming a\nworking group, which, in consultation with DOA and others, will develop records\nmanagement guidance specific to their needs. The guidance will address inventorying,\nmaintaining, using, accounting for, and controlling hardcopy records that contain\npersonally identifiable information.\n\nDRR\xe2\x80\x99s planned action is responsive to our recommendation. Accordingly, the\nrecommendation is resolved but will remain open until we have determined the agreed-to\ncorrective action has been completed and is effective.\n\n\nPRIVACY IMPACT ASSESSMENTS\n\nBased on our review of DRR\xe2\x80\x99s inventory of automated systems and discussions with\nDRR officials, we determined that as of October 2005, DRR had completed PIAs for only\n12 of 27 data systems that could have contained personally identifiable information. This\nshortfall occurred because DRR had completed PIAs only on DRR data systems that DIT\nhad initially identified as containing Taxpayer Identification Numbers (TIN). 
As a result\nof this narrow focus, DRR may not have been in full compliance with the E-Government\nAct of 2002, which we concluded requires that DRR conduct PIAs on all DRR data\nsystems containing bank customer and employee personally identifiable information.\nPrior to completion of our fieldwork, DRR re-evaluated its systems and conducted PIAs\non all those systems warranting the assessments.\n\nIn addition to the 12 DRR data systems that DIT had initially identified as containing\nTIN information, and for which DRR completed PIAs, we identified 15 other DRR\nsystems that appeared to contain personally identifiable information. For example, DRR\nhad not completed a PIA for its Pension Tracking System (PENTRACK), which is used\nto manage and distribute funds in benefits plans for employees of failed institutions not\nassumed by an acquirer. A PIA was also not completed for the Best Bank Credit Card\nSystem, which is used to administer the credit card portfolio of over 600,000 accounts\ninherited from Best Bank when it failed. Both of these systems appeared to contain\npersonally identifiable information.\n\nAlthough DIT initially focused attention on conducting PIAs on FDIC automated systems\ncontaining TINs, OMB guidance to agencies on implementing privacy provisions of the\nE-Government Act suggests that this definition was too narrowly focused. Specifically,\nOMB guidance states:\n\n\n\n\n                                            13\n\x0c       Information in identifiable form is information in an IT system or online\n       collection: (i) that directly identifies an individual (e.g., name, address, social\n       security number or other identifying number or code, telephone number, e-mail\n       address, etc.) or (ii) by which an agency intends to identify specific individuals in\n       conjunction with other data elements, i.e., indirect identification. 
(These data\n       elements may include a combination of gender, race, birth date, geographic\n       indicator, and other descriptors.)\n\nIn late November and early December 2005, we met with DIT and DRR officials to\ndiscuss the 15 other DRR data systems that we had identified as possibly containing\npersonally identifiable information. At that time, the officials agreed to reassess the need\nto complete PIAs on these 15 systems and 3 additional systems that the divisions had\nindependently identified as possibly needing PIAs (thus increasing the total number of\nsystems to 30). As of May 23, 2006, DRR had completed 8 additional PIAs for a total of\n20 PIAs related to DRR data systems. DRR notified us that it had determined that the 10\nremaining data systems that are assessed do not warrant PIAs because the systems either\nhave been replaced or do not contain personally identifiable information, and we\nconcurred with DRR\xe2\x80\x99s assessment.\n\nBecause DRR has either completed the required PIAs or determined that PIAs were not\nwarranted for the identified data systems, we are not making a formal recommendation in\nthis report. Additional details on the DRR data systems and PIA status are in\nAppendix III.\n\n\nOTHER MATTERS WARRANTING MANAGEMENT ATTENTION\n\nDuring the course of our audit, we also identified opportunities for the FDIC to improve\ncontrols over the protection of personally identifiable information in two other areas. 
The\nfirst area relates to the FDIC\xe2\x80\x99s records storage contract with Iron Mountain, and the\nsecond to the FDIC\xe2\x80\x99s overall Records Management Program.\n\nFDIC\xe2\x80\x99s Contract With Iron Mountain\n\nWith respect to the FDIC\xe2\x80\x99s records management storage contract with Iron Mountain, we\nfound that DOA had not (1) executed a confidentiality agreement with Iron Mountain,\n(2) developed a contract oversight management plan, and (3) completed background\ninvestigations on certain Iron Mountain employees. We addressed these matters and\nmade recommendations in Audit Report No. 06-016 entitled, Controls Over the Disposal\nof Sensitive FDIC Information by Iron Mountain, Inc., dated August 10, 2006. As a\nresult, we are not making recommendations in this report regarding the Iron Mountain\ncontract.\n\n\n\n\n                                             14\n\x0cFDIC\xe2\x80\x99s Records Management Program\n\nWe identified opportunities for the FDIC to enhance its overall Records Management\nProgram by more closely complying with existing federal records management guidance\npromulgated by NARA. Specifically, DOA should consider whether (1) sufficient\nattention is given in existing policies and procedures to the management of active\nrecords, (2) records management training needs to be strengthened, and (3) corporate\nevaluations of the Records Management Program are adequate.\n\nAs previously stated, federal guidance related to records management is promulgated by\nNARA. 
NARA guidance specifies that, among other things, agencies must:\n\n   \xe2\x80\xa2   Institute adequate records management controls over the maintenance and use of\n       records wherever they are located to ensure that all records (active and inactive),\n       regardless of format or medium, are organized, classified, and described to\n       promote their accessibility and make them available for use by all appropriate\n       agency personnel for their authorized retention period.\n\n   \xe2\x80\xa2   Ensure that adequate training is provided to all agency personnel on policies,\n       responsibilities, and techniques for the implementation of recordkeeping\n       requirements.\n\n   \xe2\x80\xa2   Evaluate, periodically, agency Records Management Programs relating to records\n       creation and recordkeeping requirements, maintenance and use of records, and\n       records disposition. These evaluations should determine compliance with NARA\n       requirements, including requirements for storage of agency records and storage\n       facilities, and assess the effectiveness of the agency\xe2\x80\x99s Records Management\n       Program.\n\nFDIC\xe2\x80\x99s Focus on Inactive Records. Circular 1210.18 references the three phases of the\nlife cycle of a record: creation, maintenance, and disposition. However, the circular\ncontains few specific procedures related to the handling of active records. In addition,\nthe FDIC directives on records disposition, records retention and disposition schedules,\nand standards for creating record inventories focus on the handling of inactive records.\nConsequently, as a whole, the FDIC\xe2\x80\x99s Records Management Program may not adequately\nconsider the handling of active records maintained by FDIC divisions and offices. 
This\nimpacts DRR because it is responsible for handling failed institution records for which\nthe FDIC, as custodian of those records, has responsibility.\n\nAccording to DOA\xe2\x80\x99s Assistant Director, Corporate Support Section, the FDIC\xe2\x80\x99s Records\nManagement Program focuses on inactive records being inventoried and placed into off-\nsite storage. The Assistant Director stated that it is up to the divisions and offices to set\npolicies and procedures for managing records in an active status within their business\nunits.\n\n\n\n\n                                             15\n\x0cFDIC\xe2\x80\x99s Records Management Training. The FDIC does not provide comprehensive\nrecords management training to FDIC employees. Rather, records management training\nis currently limited to training in the inventorying and retrieving of inactive records using\nARMS. Because FDIC personnel are not receiving comprehensive records management\ntraining, personnel may not be sufficiently aware of their responsibilities for handling and\nprotecting records containing personally identifiable information.\n\nWe discussed the issue of records management training with key DOA and DRR\nofficials. The DOA\xe2\x80\x99s Assistant Director, Corporate Support Section, stated that DOA\ndoes not provide records management guidance or training to the division records\nliaisons, although training is available through NARA. DRR Records Liaisons in\nWashington and Dallas told us that that they have received no formal Records\nManagement Program training. Also, we noted no records management training courses\non the Corporate University Web site.\n\nDOA and DRR officials indicated that there is a need for corporate awareness and\ntraining on records management procedures and practices. 
For example, DRR officials\nstated that the roles of the division Records Liaisons are not well defined, no training\nother than ARMS usage has been offered, and there is no specific guidance for the\nRecords Liaisons on records management issues. However, DOA is reviewing available\nNARA training provided by the U.S. Office of Personnel Management and is considering\nmaking similar training mandatory for all FDIC employees.\n\nRecords Management Program Evaluations. The FDIC has not conducted periodic\nevaluations of its Records Management Program to determine consistency with NARA\nregulations. Rather, DOA has conducted only limited evaluations of records handling.\nFor example, in October 2003, DOA conducted an Administrative Compliance Review,\nwhich measured compliance with established policies and procedures for records being\nshipped out of the Dallas Region to Iron Mountain. This review focused on inactive\nrecords. In October 2005, DOA performed an Internal Control Review to determine\nwhether records were destroyed in accordance with policy. This review also focused on\ninactive records.\n\nAdditionally, DRR has not assessed division records management practices for\ncompliance with NARA requirements. DRR Records Management Liaisons and Internal\nReview officials knew of no periodic assessments of records management practices.\nHowever, the officials told us that DRR\xe2\x80\x99s Senior Management Oversight Committee is\ncompleting an initiative to look at records retention and disposition schedules related to\ninactive records for DRR\xe2\x80\x99s various business groups.\n\nConclusion\n\nThe matters discussed above are beyond the scope of this audit. As a result, the OIG has\nincluded an audit in its fiscal year 2007 Assignment Plan that will address corporate-wide\nrecords management. Accordingly, we are not making recommendations to DOA in this\n\n\n\n\n                                             16\n\x0creport. 
However, we are providing this information for consideration in the drafting of\nthe FDIC records management manual, which is currently ongoing within DOA.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn September 12, 2006, the Director, DOA, provided a written response to the draft of\nthis report. The DOA response is presented in its entirety in Appendix IV. In its\nresponse, DOA stated that with respect to the Iron Mountain contract issues, DOA\ngenerally agreed with the OIG recommendations made in the OIG report entitled,\nControls Over the Disposal of Sensitive FDIC Information by Iron Mountain, Inc., and is\nin the process of taking the necessary corrective actions. With respect to the records\nmanagement program issues, DOA stated that it has taken steps to establish a control\nframework in the Records Management Program in order to provide the controls to\nmitigate potential risks to the FDIC but recognizes that it is important to continue to\nevaluate and improve upon its business operations. In that regard, DOA indicated that it\nwill consider the information we provided as the division continues to improve the\nProgram.\n\nWe consider DOA\xe2\x80\x99s comments to be responsive to these two matters. As previously\ndiscussed, we will be conducting a future audit in this area and will follow up on DOA\xe2\x80\x99s\nactions at that time.\n\n\n\n\n                                           17\n\x0c                                                                            APPENDIX I\n\n\n                   OBJECTIVE, SCOPE, AND METHODOLOGY\n\nObjective\n\nThe overall audit objective was to determine whether DRR adequately protects\npersonally identifiable information collected and maintained as a result of resolution and\nreceivership functions. In this audit, we focused on DRR efforts to protect information\nmaintained in hardcopy form. 
We limited our review of DRR\xe2\x80\x99s protection of sensitive\ninformation in electronic form to DRR\xe2\x80\x99s completion of risk assessments associated with\nsystems containing such information.\n\nScope and Methodology\n\nWe performed our audit from July 2005 through March 2006 in accordance with\ngenerally accepted government auditing standards. We performed field work in DRR,\nDOA, and DIT offices in Washington, D.C. In addition, we performed field work in the\nDallas Regional Office to assess the safeguards over handling and storing failed\ninstitutions records currently being maintained by DRR.\n\nTo accomplish our objective, we performed the following:\n\n   \xe2\x80\xa2   Identified criteria used to establish the definition of personally identifiable\n       information.\n   \xe2\x80\xa2   Reviewed relevant criteria including, but not limited to, the Privacy Act of 1974;\n       E-Government Act of 2002; OMB Circular No. A-130; and Section 522 of the\n       Transportation, Treasury, Independent Agencies, and General Government\n       Appropriations Act, 2005.\n   \xe2\x80\xa2   Reviewed the DRR Privacy Act System of Record Notices that contained\n       employee information.\n   \xe2\x80\xa2   Reviewed and discussed with other OIG audit teams the status of activities and\n       initiatives related to the development of a comprehensive privacy program for the\n       Corporation.\n   \xe2\x80\xa2   Reviewed OMB guidance related to conducting PIAs as well as relevant FDIC\n       guidelines. 
We confirmed that PIAs had been completed on the 20 DRR\n       applications that DRR and DIT determined warranted the assessments.\n   \xe2\x80\xa2   Reviewed DRR\xe2\x80\x99s resolution and receivership policies, procedures, and practices\n       for safeguarding personally identifiable information during the resolution and\n       receivership process.\n   \xe2\x80\xa2   Discussed DRR practices and procedures regarding safeguarding personally\n       identifiable information with each of the DRR operating group managers in the\n       Dallas Regional Office.\n   \xe2\x80\xa2   Observed the operations of the Dallas operating group file storage rooms.\n   \xe2\x80\xa2   Discussed with DRR Business Project officials in Washington, D.C., DRR\n       initiatives for identifying data systems and safeguarding personally identifiable\n       information within the data systems.\n\n\n\n                                            18\n\x0c                                                                             APPENDIX I\n\n\n   \xe2\x80\xa2   Obtained NARA information on records management administration guidance\n       and discussed the Records Management Program with the DRR Records Liaisons\n       in the Dallas Regional Office and DRR headquarters.\n   \xe2\x80\xa2   Discussed and coordinated our audit with DRR\xe2\x80\x99s Internal Review group.\n\nDOA administers a corporate-wide Records Management Program for which we\nperformed the following:\n\n   \xe2\x80\xa2   Reviewed DOA\xe2\x80\x99s Records Management Program and pertinent directives.\n   \xe2\x80\xa2   Discussed with DOA officials the handling, storage, and retrieval of failed\n       institution records.\n   \xe2\x80\xa2   Assessed DOA\xe2\x80\x99s storage contract with Iron Mountain and talked with DOA\n       contract oversight officials in Washington, D.C., regarding site visits and contract\n       employee practices relating to safeguarding personally identifiable information.\n   \xe2\x80\xa2   
Reviewed the FDIC\xe2\x80\x99s Acquisition Policy Manual to identify provisions related to\n       Contractor Confidentiality Agreements and the Privacy Act and reviewed selected\n       contract files to determine whether appropriate provisions and clauses related to\n       privacy and confidentiality agreements had been included.\n\nInternal Controls\n\nWe gained an understanding of relevant control activities by reviewing (1) FDIC\nsecurity-related directives; (2) DRR policies, procedures, and practices for resolution and\nreceivership functions such as bank closings, asset disposition, claims, and terminations;\n(3) DRR\xe2\x80\x99s initiatives to enhance its privacy program; (4) DIT general rules of behavior\nfor utilizing FDIC information resources; and (5) DOA policies, procedures, and\npractices for the inventory, handling, storage, and retrieval of inactive failed institution\nrecords. We interviewed individuals in DRR, DIT, and DOA involved in protecting and\nsecuring personally identifiable information. Based on these reviews, we identified key\ninternal controls over hardcopy documents DRR obtained and generated at institution\nclosings as well as documents DRR was currently maintaining. In the course of our\naudit, we tested these controls.\n\nReliance on Computer-Based Data\n\nWe did not assess the reliability of computer-based data as it was not significant to\nmeeting our audit objectives.\n\nCompliance With Laws and Regulations, Government Performance and Results\nAct, and Fraud or Illegal Acts\n\nRegarding compliance with laws and regulations, the Background section of this report\ndiscusses various federal laws and guidance related to the protection of personally\nidentifiable information. We considered the FDIC\xe2\x80\x99s compliance with these laws and\nregulations in conducting our audit work. Appendix II lists the specific references to\npertinent laws, regulations, and FDIC policies. 
This report discusses steps that the FDIC\n\n\n                                             19\n\x0c                                                                             APPENDIX I\n\nhas taken to comply with the intent of these laws and guidance and contains one\nrecommendation for improvement in that regard.\n\nWe reviewed the FDIC\xe2\x80\x99s performance measures under the FDIC\xe2\x80\x99s Strategic Plan 2005-\n2010 and the FDIC\xe2\x80\x99s 2005 Annual Performance Plan. We also reviewed DRR\xe2\x80\x99s 2003,\n2004, and 2005 Strategic Plans. We determined that neither the FDIC nor DRR have\nperformance measures related to the protection of personally identifiable information.\n\nIn consideration of the potential misuse of personally identifiable information for identity\ntheft purposes, we were alert throughout the audit to the potential for fraud and illegal\nacts. Except for a security breach involving the personal information of current and\nformer FDIC employees, mentioned under the Summary of Prior Coverage below, no\ninstances came to our attention.\n\nSummary of Prior Coverage\n\nThe FDIC OIG has issued five prior reports related to safeguarding sensitive information\nor records storage.\n\n   \xe2\x80\xa2   On August 10, 2006, the OIG issued Audit Report No. 06-016, Controls Over the\n       Disposal of Sensitive FDIC Information by Iron Mountain, Inc. The objective of\n       the audit was to determine whether the FDIC had adequate controls for ensuring\n       the secure disposal of sensitive information by Iron Mountain. We reported that\n       the FDIC had established a number of key controls to ensure the secure disposal\n       of sensitive information by Iron Mountain. 
       However, we also reported that the FDIC needed to improve its oversight of the Iron Mountain contract to ensure that controls designed to safeguard the disposal of sensitive information were effectively implemented.

   •   On January 6, 2006, the OIG issued Evaluation Report No. 06-005, FDIC Safeguards Over Personal Employee Information. This audit was conducted in response to a security breach involving unauthorized access to personal employee information on a large number of current and former FDIC employees. The objective of the review was to evaluate the FDIC’s policies, procedures, and practices for safeguarding personal employee information in hardcopy and electronic form. We reported that the FDIC had a corporate-wide program for protecting personal employee information, had appointed a CPO with responsibility for privacy and data protection policy, and made efforts to enhance its privacy program in response to legislative requirements and breaches of FDIC employee information. We also identified opportunities for the FDIC to strengthen its privacy program for protecting personal employee information.

   •   On September 16, 2005, the OIG issued Report No. 05-033, Response to Privacy Program Information Request in OMB’s Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management, which addressed the status of the FDIC’s privacy program and related activities. This audit was conducted in response to a request for privacy program information contained in OMB’s June 13, 2005, memorandum entitled, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. The objective of the audit was to determine the current status of the FDIC’s efforts to implement a corporate-wide privacy management program. We concluded that although FDIC actions were positive, the FDIC needed to complete a number of ongoing initiatives to ensure adequate protection of personally identifiable employee information in compliance with federal privacy-related statutes, policies, and guidelines.

   •   On September 30, 2004, the OIG issued Report No. 04-045, Records Management and Storage. The objective of this audit was to determine whether (1) the contract for records storage was cost-effective and (2) the FDIC’s procedures were consistent with other best practices in the federal government and private industry. We concluded that the FDIC’s contract with Iron Mountain, Inc. for records storage could be more cost-effective.

   •   On February 14, 2003, the OIG issued Report No. 03-012, Control Over the Use and Protection of Social Security Numbers by Federal Agencies, on the controls over FDIC use and protection of SSNs. We conducted the review based on congressional interest regarding the widespread sharing of personally identifiable information and occurrences of identity theft. The Chairman, Subcommittee on Social Security, House Ways and Means Committee, asked the President's Council on Integrity and Efficiency (PCIE) to review federal agencies' methods for disseminating and controlling SSN data collected from third parties. The FDIC OIG, as a member of the PCIE, performed the audit to assess the adequacy of the FDIC's control over the use and protection of SSN information. In conducting the audit, we focused on SSN information about non-employees such as depositors, debtors, and loan guarantors that was obtained from failing financial institutions insured by the FDIC. We concluded that third-party access to and use of SSNs and other personally identifiable information was not adequately controlled and monitored.


APPENDIX II

LAWS, REGULATIONS, AND FDIC DIRECTIVES APPLICABLE TO DRR’S PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION

Laws, Regulations & Policies            Description

Privacy Act of 1974
    Provides specific guidance to federal agencies, including the FDIC, on the control and release of agency records that relate to individuals. The Act establishes safeguards for the protection of records the federal government collects and maintains on individuals.

E-Government Act of 2002 (Federal Information Security Management Act (FISMA))
    Establishes a broad framework of measures requiring use of Internet-based information technology to enhance citizen access to government information and increase citizen participation; improve government efficiency and reduce government costs; and promote interagency collaboration in providing electronic government services to citizens and use of internal electronic government processes to improve efficiency and services provided. Section 208 of Title II of the Act, applicable to the FDIC, includes procedures to ensure the privacy of personal information in electronic records, including agency preparation of PIAs on agency information systems. Title III of the Act, or FISMA, contains a number of provisions dealing with the protection of information in agency information systems, as well as other security-related matters. Many of these provisions apply to the FDIC.

Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005
    Requires federal agencies, including the FDIC, to designate a Chief Privacy Officer to carry out duties relating to the privacy and protection of personally identifiable information collected and used by federal agencies. The requirements include safeguarding information systems from intrusions, unauthorized disclosures, and disruption or damage.

NARA: Title 36 Code of Federal Regulations, sections 1220.36 et seq.
    According to these regulations, promulgated by the NARA, agencies must institute adequate records management controls over the maintenance and use of records wherever they are located to ensure that all records, regardless of format or medium, are organized, classified, and described to promote their accessibility and make them available for use by all appropriate agency staff for their authorized retention period. Agencies must ensure that they maintain adequate information about their records moved to an off-site records storage facility. Agencies must ensure the proper, authorized disposition of their records and must periodically evaluate records management programs. The FDIC follows NARA’s regulations as a matter of policy.
    NARA publishes handbooks, conducts training sessions, and furnishes information and guidance to federal agencies about the creation of records, their maintenance and use, and their disposition.

OMB Circular No. A-130, Management of Federal Information Resources
    Establishes policies for federal agencies for the management of federal information resources, including automated information systems. Appendix I of the circular specifically covers agency responsibilities, including those of the FDIC, for implementing the reporting and publication requirements of the Privacy Act.

FDIC Circular 6371.1, Bidders List Preparation and Clearance Process
    Establishes a process for preparing and clearing the bidders list used in resolving failing institutions. DRR will forward only the names of interested bidders to the Division of Supervision and Consumer Protection, which is responsible for pre-approving potential bidders for failing institutions and for assessing the risk to the deposit insurance fund(s) posed by potential resolution transactions.

FDIC Circular 1031.1, Administration of the Privacy Act
    Updates procedures and provides guidance for the appropriate collection, maintenance, use and/or dissemination of records subject to the Privacy Act of 1974.

FDIC Circular 1210.1, FDIC Records Retention and Disposition Schedule
    Provides updated guidelines applicable to the maintenance and disposition of records.

FDIC Circular 1210.4, Records Disposition
    Defines responsibilities for managing the records disposition process and the actions to be taken when records are no longer needed to conduct business.

FDIC Circular 1210.16, Standards for Creating Records Inventories
    Establishes standards for inventories of failed institution records. The circular distinguishes between inactive and active records, requiring that inactive records be stored off-site.

FDIC Circular 1210.18, FDIC Records Management Program
    Defines the FDIC’s Records Management Program. The circular describes records, recordkeeping, maintenance, use, and disposition procedures. It requires that ARMS be used by divisions and offices to inventory, physically track, and research both corporate and institution records. Use of this system is mandatory for all inactive records stored off-site and for the active asset/credit files of failed institutions.

FDIC Circular 1301.3, Data Stewardship Program
    Establishes business accountability and responsibility for managing and sharing corporate data.

FDIC Circular 1310.3, Information Technology Security Risk Management Program
    Updates policies and responsibilities applicable to the FDIC IT Security Risk Management Program.

FDIC Circular 1360.1, Automated Information Systems (AIS) Security Program
    Assigns roles and responsibilities for ensuring adequate levels of protection for FDIC automated information systems and the information processed, stored, or transmitted by them; and establishes a base program framework for organization-wide IT security program objectives.

FDIC Circular 1360.8, Information Security Categorization
    Provides a standard framework for categorizing all information collected or maintained by or on behalf of the FDIC for the purpose of providing appropriate levels of information security according to a range of risk levels.

FDIC Circular 1360.15, Access Control for Automated Information Systems
    Revises policies and roles and responsibilities for managing access to FDIC automated information systems and data.

DRR Circular 1360.1, Information Security Responsibilities
    Restates the division’s commitment to the protection of information systems against unauthorized access to or modification of information and against the denial of service to authorized users. Also, it restates the division’s commitment to safeguarding the Corporation’s data and to updating security procedures for the division’s information systems.

DRR Circular 7010.1, Request by Debtors of Failed Institutions for Copies of Their Loan Files, Notes, and Other Loan Related Documents
    Advises employees that records should contain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency and the circumstances when information in the system of records may be disclosed to parties other than the debtor.

DRR Circular 7220.5, Protecting Borrower Identity
    Establishes DRR’s policy on the protection of information related to the identity of borrowers and guarantors when offering loans and other debts for sale.


APPENDIX III

STATUS OF PRIVACY IMPACT ASSESSMENTS FOR DRR DATA SYSTEMS

The 30 DRR data systems that may contain personally identifiable information fall into three groups, each system appearing in exactly one group.

DRR Data Systems With Completed PIAs (as of 10/31/05): 12 systems
    Combined Asset Reporting Database (CARD)
    Credit Notation System (CNS)
    Control Totals Module (CTM)
    Dividend Processing System (DPS)
    DRR Locator and Reporting System (DOLLARS)
    National Asset Inventory System (NAIS)
    National Inventory System (NIS)
    National Insurance System Extranet Web Page (NISExt)
    Overarching Automation System (OASIS)
    Owned Real Estate System (ORES)
    Receivership Liability System (RLS)
    Servicing Request Tracking System II (STSII)

Additional DRR Data Systems With Completed PIAs (as of 5/31/06): 8 systems
    Asset Servicing Technology Enhancement Program (ASTEP)
    Best Bank Credit Card System (BBCC)
    FDIC Automated Corporate Tracking System (FACTS)
    FDIC SALES
    FDIC Unclaimed Funds System (FUNDS)
    Pension Tracking System (PENTRACK)
    Risk Analysis and Value Estimation System (RAVEN*)
    Warranties and Representations Accounts Processing System (WRAPS*)

DRR Data Systems Assessed by DRR and DIT as Not Needing PIAs: 10 systems
    Asset Marketing System (AMS)
    Asset Reporting Information System (ARIS)
    Collateral and Possessory System (CAPS)
    Customer Service Contact System (CSCS)
    FDIC Real Estate Retrieval System (DRRORE)
    INTRALINKS
    National Processing System (NPS)
    PROFORMA (PROFORMA)
    Securitization Transactions Asset and Certification Database (STAC*)
    Subsidiary Information Management Network (SIMAN)

Totals: 30 data systems; 12 with completed PIAs as of 10/31/05; 8 additional with completed PIAs as of 5/31/06; 10 assessed as not needing PIAs.

    Source: OIG analysis of information from the DRR Business Project Manager’s Group.
    * DRR identified three data systems (RAVEN, STAC, and WRAPS) in addition to the initial 27 data systems the OIG had asked DRR to review. Hence, we have included 30 DRR data systems.


APPENDIX IV


APPENDIX V

MANAGEMENT RESPONSE TO RECOMMENDATION

This table presents the management response on the recommendation in our report and the status of the recommendation as of the date of report issuance.

Corrective Action for the Recommendation: Taken or Planned/Status
    DRR is forming a working group, which, in consultation with DOA and others, will develop records management guidance specific to DRR’s needs. The guidance will address inventorying, maintaining, using, accounting for, and controlling hardcopy records that contain personally identifiable information.

Expected Completion Date
    June 30, 2007

Monetary Benefits
    NA

Resolved: Yes or No (a)
    Yes

Open or Closed (b)
    Open

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.